Hello,
Pardon me if this reply is off the mark, but I've only glanced at this
thread and noticed that there was a similar vein with our legacy IPA
clients (RHEL 6.x).
Our AD logins also were failing and it was traced down to the two
quoted items below.
> > Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
> > order to make AD user login work. What else could I try? Which logs are
> > relevant here?
&
> Btw, if you set 'dns_lookup_kdc = true' you can remove the MYDOMAIN.AT
> section from [realms] at all.
Our configuration required the following items to be set within krb5.conf:
dns_lookup_realm = true
dns_lookup_kdc = true
And the following item within the [domain] section within sssd.conf
had to be present:
krb5_use_enterprise_principal = true
Once all of these changes were set, AD logins on client nodes
functioned without an issue.
HTH,
John DeSantis
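As an added illustration (this is not a configuration posted by anyone in the thread, and it is not FreeIPA's own default client config), the fragment below shows how the settings discussed above fit together on an IPA client. The realm names MYDOMAIN.AT (AD) and LINUX.MYDOMAIN.AT (IPA) are taken from the thread; the [domain/...] section name, the IPA server hostname and the placement of the [domain_realm] mapping are assumptions made for the example. With dns_lookup_kdc = true, libkrb5 finds KDCs through the _kerberos._tcp.<realm> SRV records, so the [realms] section needs no kdc = lines and no MYDOMAIN.AT stanza at all; a request carrying an explicit realm (user@MYDOMAIN.AT) is then sent to an AD DC instead of being redirected to the IPA server. The ldap_user_principal = noSuchAttr setting that Sumit suggests for the IPA servers is deliberately not part of this client-side fragment.

```ini
# /etc/krb5.conf on an IPA client (added example; realm and host names assumed)

[libdefaults]
default_realm = LINUX.MYDOMAIN.AT
# Resolve the realm of a hostname from DNS TXT records (after [domain_realm])
dns_lookup_realm = true
# Resolve KDCs from _kerberos._tcp.<realm> SRV records instead of static kdc = lines
dns_lookup_kdc = true
# Do not let a reverse lookup rewrite the service hostname before the realm mapping
rdns = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true

[realms]
LINUX.MYDOMAIN.AT = {
    # KDCs come from _kerberos._tcp.linux.mydomain.at; nothing else is required here
}
# Intentionally no MYDOMAIN.AT stanza: with dns_lookup_kdc = true the AD DCs are
# found via _kerberos._tcp.mydomain.at, so the AD realm is not redirected to IPA.

[domain_realm]
# Mapping proposed in the thread: DNS hostnames under .mydomain.at use the IPA
# realm for service tickets; principals that name MYDOMAIN.AT explicitly still go to AD.
.mydomain.at = LINUX.MYDOMAIN.AT
mydomain.at = LINUX.MYDOMAIN.AT

# /etc/sssd/sssd.conf, [domain/...] section (section and host names assumed);
# the file must be root-owned with mode 0600 or sssd refuses to start.

[domain/linux.mydomain.at]
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_domain = linux.mydomain.at
ipa_server = _srv_, ipa1.linux.mydomain.at
krb5_realm = LINUX.MYDOMAIN.AT
# Send the AD user's UPN as an enterprise principal so the KDC canonicalises it
# to the right realm, rather than the client guessing the realm itself.
krb5_use_enterprise_principal = true
# Only while troubleshooting: makes sssd_<domain>.log and krb5_child.log verbose
# enough to see which KDC each request is sent to. Remove afterwards.
debug_level = 9
```

Two practical checks before relying on this: confirm that the SRV records actually resolve from the client (for example `dig SRV _kerberos._tcp.mydomain.at` and the same for linux.mydomain.at), because a missing record fails silently as "cannot find KDC for realm"; and remember that these SRV lookups are plain DNS unless DNSSEC is deployed, so the DNS infrastructure serving the clients is part of the Kerberos trust boundary even though the realm keys, not DNS, are what ultimately authenticate a KDC.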
On Wed, 27 May 2020 at 02:23, Sumit Bose via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
> On Tue, May 26, 2020 at 05:06:21PM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > On 13.05.20 15:08, Sumit Bose via FreeIPA-users wrote:
> > > On Wed, Apr 08, 2020 at 07:45:35AM +0200, Ronald Wimmer via FreeIPA-users wrote:
> > > > > On Tue, Jan 29, 2019 at 11:19:22AM +0100, Ronald Wimmer via
> > > > > FreeIPA-users wrote:
> > > > > ...
> > > > > <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...>
> > > > > Since you redirected MYDOMAIN.AT to the IPA server in krb5.conf the
> > > > > client cannot properly send the UPN to an AD DC. You can disable UPN
> > > > > handling by setting 'ldap_user_principal = noSuchAttr' in the domain
> > > > > section of sssd.conf on the IPA servers. You have to wait until the SSSD
> > > > > cache on the server and the client are updated before the client would
> > > > > start using employeeNumber@a.mydomain.at. But I wonder if the
> > > > > redirection to the IPA server is needed in krb5.conf at all ...
> > > > > ...
> > > > > <https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...>
> > > > > If you replace this line with '.mydomain.at = LINUX.MYDOMAIN.AT' I would
> > > > > expect that libkrb5 will use the LINUX.MYDOMAIN.AT realm whenever a
> > > > > DNS hostname from .mydomain.at is used. This way it should be
> > > > > possible to add AD DCs to the MYDOMAIN.AT section so that requests which
> > > > > contain the realm explicitly, like 'ronald.wimmer@MYDOMAIN.AT',
> > > > > would be sent to an AD DC.
> > > >
> > > > Unfortunately, setting ldap_user_principal to NoSuchAttr was not enough in
> > > > order to make AD user login work. What else could I try? Which logs are
> > > > relevant here?
> > >
> > > Hi,
> > >
> > > thanks for your patience. Can you send the SSSD domain and krb5_child.log
> > > with debug_level=9 in the [domain/...] section to understand why using
> > > 'ldap_user_principal = noSuchAttr' on the IPA servers does not help?
> >
> > When I set ldap_user_principal to noSuchAttr on an IPA server and do an "id
> > myusername" it seems I am waiting forever. Would realm mapping in krb5.conf
> > be sufficient in an IPA client's krb5.conf file or would I have to do that
> > on an IPA server as well?
>
> Hi,
>
> the '.mydomain.at = LINUX.MYDOMAIN' change in the [domain_realm] section
> and the change of the MYDOMAIN.AT from [realms] to point to an AD DC can
> be done on the clients only. But if you want to let AD users
> authenticate on the IPA servers you might need similar changes as well.
>
> Btw, if you set 'dns_lookup_kdc = true' you can remove the MYDOMAIN.AT
> section from [realms] at all.
>
> bye,
> Sumit
>
> >
> > Cheers,
> > Ronald
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...